[FIX] runbot_merge: security concern

The webhook used the "sender" of the event as comment author; however,
if the comment is edited by a maintainer, GitHub sends an
"issue_comment" event with that maintainer as sender.

This means a random user could create a comment with a robodoo
command, and if a registered reviewer happened to edit the comment the
command would suddenly be taken into account. This was not the intention.
Xavier Morel 2018-09-24 10:06:58 +02:00
parent ac2adfbdea
commit 7fc7b78a04
2 changed files with 2 additions and 3 deletions


@ -215,7 +215,7 @@ def handle_comment(env, event):
repo = event['repository']['full_name']
issue = event['issue']['number']
author = event['sender']['login']
author = event['comment']['user']['login']
comment = event['comment']['body']
_logger.info('comment: %s %s:%s "%s"', author, repo, issue, comment)
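Review bot: the switch from `event['sender']['login']` to `event['comment']['user']['login']` is the right fix, since the comment's own `user` is the person who wrote the body regardless of who last edited it, but the log line at the end of the hunk now drops the sender entirely; consider logging both (`author` and `event['sender']['login']`) so that when an edit by a reviewer causes a body to be re-evaluated, the audit trail still records who triggered that evaluation. The visible lines also do not show whether `handle_comment` distinguishes the `created` and `edited` actions; if it does not, an edited comment is re-dispatched as a fresh command, which is worth a comment in the code so the behaviour is intentional rather than incidental.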


@ -747,8 +747,7 @@ class Client(werkzeug.test.Client):
'action': 'created',
'issue': { 'number': issue.number },
'repository': self._repo(issue.repo.name),
'sender': { 'login': user },
'comment': { 'body': body },
'comment': { 'body': body, 'user': {'login': user } },
}
if isinstance(issue, PR):
contents['issue']['pull_request'] = { 'url': 'fake' }
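Review bot: the test client fills `'sender'` and `'comment': {'user': ...}` from the same `user` value, so the fixture cannot exercise the case this commit fixes, where the editor differs from the comment author. Suggest adding a separate, optionally defaulted parameter for the sender (the editor) so a test can post a robodoo command authored by a non-reviewer, deliver an event whose `sender` is a registered reviewer, and assert that the command is not executed.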